Report: Government Agencies Must Step Up Security

The White House push to secure the U.S. digital infrastructure does not
exclude IT systems of federal agencies, according to the Office of Management and
Budget (OMB), which released its Federal Government Information Security Report
to Congress this week.

The OMB is required to submit the yearly report to Congress as part of the Federal
Information Security Management Act (FISMA), which requires agencies to maintain adequate IT
security in both new and existing IT systems.

According to the report, only half of the 24 federal government departments meet the
minimum criteria for compliance with FISMA standards.

In its address to Congress this week, the OMB urged agencies to be proactive and
spend budget money now to improve security of IT systems, rather than upgrading legacy
systems and worrying about security later. The OMB said senior agency officials in government
departments will be held accountable in the future if systems fail to comply with minimum
security standards.

Lobbying Pressures

Eric Hemmendinger, director of security research at Aberdeen Group, said the critical
report is likely the result of heavy lobbying in Washington, D.C. by private security
firms in recent years.

"If I was to take the cynical approach, I'd say that the lobbying by private firms
is starting to pay off," Hemmendinger told the E-Commerce Times. "These firms represent
security vendors who realize that federal government security for the most part is
woefully inadequate."

Good PR

Hemmendinger added that the OMB essentially is embarking on a public relations campaign to raise the level of awareness about the need to improve security in agency IT systems.
"This is no mandate to spend money to upgrade government security," he said.
"Rather, it is a communications campaign run by the Bush White House.

"By creating awareness, the OMB has shown that security is on the radar and government
departments need to keep it in mind," he added.

Expressing some skepticism about the process, Hemmendinger also noted that placing IT
security "on the radar" should please the lobbying fraternity, as it does not hurt to
have good relations with the Bush White House in an election year.

Due to the reporting requirements for FISMA, the OMB now has three years of
benchmarking data to assess progress in IT security and suggest improvements.

Proactive Security Management

For his part, Yankee Group senior analyst Eric Ogren said proactive management of
security needs is vital in both the enterprise and government sectors.

"Security teams that once reacted to security incidents now are proactively addressing
network security throughout the life cycle, from vulnerability discovery all the way to
confirmation of a deployed correction," Ogren told the E-Commerce Times.

Opportunities exist for private companies to take advantage of the need to more
proactively secure government IT systems, particularly through outsourced managed
security and vulnerability services.

The Yankee Group expects the managed security market will swell to nearly
$190 million by 2006, he said.